[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Crypto signing of packages

> * Three or four Project master keys held by separate people,
> maintainers' working keys must be signed by some n-out-of-m of them.
> * Revoke Project master keys by n-out-of-m of them; this way we can
> gradually leave bad old keys behind.

I don't think we need project master keys.  What's wrong with just
having a maintainer for a keyring, and distributing that.  It could
be signed by the keyring maintainer (Igor) and distributed widely.
Then the only way it could be compromised is if Igor's private
key and PGP passphrase were stolen.  Even in the case of 
that unlikely event, we should still be able to regain control of
the keyring.


 - Jim

Attachment: pgpqgmOLEhccn.pgp
Description: PGP signature

Reply to: